tests/qtest/libqtest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
When the length of mname is less than 5, memcpy ("xenfv", mname, 5) will cause
heap buffer overflow. Therefore, use strcmp to avoid this problem.
The asan showed stack:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
0x60200000f2f4 thread T0
#0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
#1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
#2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
#3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
#4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Gan Qixin <ganqixin@huawei.com>
---
Cc: Thomas Huth <thuth@redhat.com>
Cc: Laurent Vivier <lvivier@redhat.com>
---
tests/qtest/libqtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index e49f3a1e45..e8179a3509 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -1281,7 +1281,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
g_assert(qstr);
mname = qstring_get_str(qstr);
/* Ignore machines that cannot be used for qtests */
- if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
+ if (!strcmp("xenfv", mname) || g_str_equal("xenpv", mname)) {
continue;
}
if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) {
--
2.23.0
On 04/01/2021 15.10, Gan Qixin wrote:
> When the length of mname is less than 5, memcpy ("xenfv", mname, 5) will cause
> heap buffer overflow. Therefore, use strcmp to avoid this problem.
>
> The asan showed stack:
>
> ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
> pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
> 0x60200000f2f4 thread T0
> #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
> #1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
> #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
> #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
> #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Gan Qixin <ganqixin@huawei.com>
> ---
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: Laurent Vivier <lvivier@redhat.com>
> ---
> tests/qtest/libqtest.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
> index e49f3a1e45..e8179a3509 100644
> --- a/tests/qtest/libqtest.c
> +++ b/tests/qtest/libqtest.c
> @@ -1281,7 +1281,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
> g_assert(qstr);
> mname = qstring_get_str(qstr);
> /* Ignore machines that cannot be used for qtests */
> - if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
> + if (!strcmp("xenfv", mname) || g_str_equal("xenpv", mname)) {
Using strcmp() is likely wrong here, since we're talking about strings like
"xenfv-4.2" here ... so I guess strncmp(..., 5) would be the right way to go?
Thomas
> From: Thomas Huth [mailto:thuth@redhat.com]
> Sent: Tuesday, January 5, 2021 5:47 PM
> To: ganqixin <ganqixin@huawei.com>; qemu-devel@nongnu.org;
> qemu-trivial@nongnu.org
> Cc: Chenqun (kuhn) <kuhn.chenqun@huawei.com>; Zhanghailiang
> <zhang.zhanghailiang@huawei.com>; Euler Robot
> <euler.robot@huawei.com>; Laurent Vivier <lvivier@redhat.com>
> Subject: Re: [PATCH] qtest/libqtest.c: fix heap-buffer-overflow in
> qtest_cb_for_every_machine()
>
> On 04/01/2021 15.10, Gan Qixin wrote:
> > When the length of mname is less than 5, memcpy ("xenfv", mname, 5)
> > will cause heap buffer overflow. Therefore, use strcmp to avoid this
> problem.
> >
> > The asan showed stack:
> >
> > ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x60200000f2f4 at pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp
> > 0x7ffe93cc5208 READ of size 5 at
> > 0x60200000f2f4 thread T0
> > #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
> > #1 0x5632c20be95b in qtest_cb_for_every_machine
> tests/qtest/libqtest.c:1282
> > #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
> > #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
> > #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
> >
> > Reported-by: Euler Robot <euler.robot@huawei.com>
> > Signed-off-by: Gan Qixin <ganqixin@huawei.com>
> > ---
> > Cc: Thomas Huth <thuth@redhat.com>
> > Cc: Laurent Vivier <lvivier@redhat.com>
> > ---
> > tests/qtest/libqtest.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c index
> > e49f3a1e45..e8179a3509 100644
> > --- a/tests/qtest/libqtest.c
> > +++ b/tests/qtest/libqtest.c
> > @@ -1281,7 +1281,7 @@ void qtest_cb_for_every_machine(void
> (*cb)(const char *machine),
> > g_assert(qstr);
> > mname = qstring_get_str(qstr);
> > /* Ignore machines that cannot be used for qtests */
> > - if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv",
> mname)) {
> > + if (!strcmp("xenfv", mname) || g_str_equal("xenpv", mname)) {
>
> Using strcmp() is likely wrong here, since we're talking about strings like
> "xenfv-4.2" here ... so I guess strncmp(..., 5) would be the right way to go?
Yes, using strcmp() is wrong, I will modify this patch. Thanks for your reply!
© 2016 - 2024 Red Hat, Inc.